diff options
Diffstat (limited to 'poky/meta/recipes-support')
4 files changed, 74 insertions, 106 deletions
diff --git a/poky/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch b/poky/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch new file mode 100644 index 0000000000..46c57afb73 --- /dev/null +++ b/poky/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch @@ -0,0 +1,51 @@ +From 6c51adeb71da076c5c40a45e339e06bb4394a86b Mon Sep 17 00:00:00 2001 +From: Eric Vigeant <evigeant@gmail.com> +Date: Wed, 2 Nov 2022 11:47:09 -0400 +Subject: [PATCH] cur_path: do not add '/' if homedir ends with one + +When using SFTP and a path relative to the user home, do not add a +trailing '/' to the user home dir if it already ends with one. + +Closes #9844 + +CVE: CVE-2023-27534 +Note: +- The upstream patch for CVE-2023-27534 does three things: +1) creates new path with dynbuf(dynamic buffer) +2) solves the tilde error which causes CVE-2023-27534 +3) modifies the below added functionality to not add a trailing "/" to the user home dir if it already ends with one with dynbuf. +- dynbuf functionalities are added in curl in later versions and are not essential to fix the vulnerability but does add extra feature in later versions. +- This patch completes the 3rd task of the patch which was implemented without using dynbuf +Upstream-Status: Backport from [https://github.com/curl/curl/commit/6c51adeb71da076c5c40a45e339e06bb4394a86b] + +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> +--- + lib/curl_path.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/lib/curl_path.c b/lib/curl_path.c +index f429634..40b92ee 100644 +--- a/lib/curl_path.c ++++ b/lib/curl_path.c +@@ -70,10 +70,14 @@ CURLcode Curl_getworkingpath(struct connectdata *conn, + /* It is referenced to the home directory, so strip the + leading '/' */ + memcpy(real_path, homedir, homelen); +- real_path[homelen] = '/'; +- real_path[homelen + 1] = '\0'; ++ /* Only add a trailing '/' if homedir does not end with one */ ++ if(homelen == 0 || real_path[homelen - 1] != '/') { ++ real_path[homelen] = '/'; ++ homelen++; ++ real_path[homelen] = '\0'; ++ } + if(working_path_len > 3) { +- memcpy(real_path + homelen + 1, working_path + 3, ++ memcpy(real_path + homelen, working_path + 3, + 1 + working_path_len -3); + } + } +-- +2.24.4 + diff --git a/poky/meta/recipes-support/curl/curl/CVE-2023-27534.patch b/poky/meta/recipes-support/curl/curl/CVE-2023-27534.patch index aeeffd5fea..3ecd181290 100644 --- a/poky/meta/recipes-support/curl/curl/CVE-2023-27534.patch +++ b/poky/meta/recipes-support/curl/curl/CVE-2023-27534.patch @@ -3,121 +3,31 @@ From: Daniel Stenberg <daniel@haxx.se> Date: Thu, 9 Mar 2023 16:22:11 +0100 Subject: [PATCH] curl_path: create the new path with dynbuf +Closes #10729 + CVE: CVE-2023-27534 -Upstream-Status: Backport [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6] +Note: This patch is needed to backport CVE-2023-27534 +Upstream-Status: Backport from [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6] Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> --- - lib/curl_path.c | 71 ++++++++++++++++++++++++------------------------- - 1 file changed, 35 insertions(+), 36 deletions(-) + lib/curl_path.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/curl_path.c b/lib/curl_path.c -index f429634..e17db4b 100644 +index 40b92ee..598c5dd 100644 --- a/lib/curl_path.c +++ b/lib/curl_path.c -@@ -30,6 +30,8 @@ - #include "escape.h" - #include "memdebug.h" - -+#define MAX_SSHPATH_LEN 100000 /* arbitrary */ -+ - /* figure out the path to work with in this particular request */ - CURLcode Curl_getworkingpath(struct connectdata *conn, - char *homedir, /* when SFTP is used */ -@@ -37,60 +39,57 @@ CURLcode Curl_getworkingpath(struct connectdata *conn, - real path to work with */ - { - struct Curl_easy *data = conn->data; -- char *real_path = NULL; - char *working_path; - size_t working_path_len; -+ struct dynbuf npath; - CURLcode result = - Curl_urldecode(data, data->state.up.path, 0, &working_path, - &working_path_len, FALSE); - if(result) - return result; - -+ /* new path to switch to in case we need to */ -+ Curl_dyn_init(&npath, MAX_SSHPATH_LEN); -+ - /* Check for /~/, indicating relative to the user's home directory */ -- if(conn->handler->protocol & CURLPROTO_SCP) { -- real_path = malloc(working_path_len + 1); -- if(real_path == NULL) { -+ if((data->conn->handler->protocol & CURLPROTO_SCP) && -+ (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) { -+ /* It is referenced to the home directory, so strip the leading '/~/' */ -+ if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) { - free(working_path); - return CURLE_OUT_OF_MEMORY; - } -- if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) -- /* It is referenced to the home directory, so strip the leading '/~/' */ -- memcpy(real_path, working_path + 3, working_path_len - 2); -- else -- memcpy(real_path, working_path, 1 + working_path_len); +@@ -60,7 +60,7 @@ CURLcode Curl_getworkingpath(struct connectdata *conn, + memcpy(real_path, working_path, 1 + working_path_len); } -- else if(conn->handler->protocol & CURLPROTO_SFTP) { + else if(conn->handler->protocol & CURLPROTO_SFTP) { - if((working_path_len > 1) && (working_path[1] == '~')) { -- size_t homelen = strlen(homedir); -- real_path = malloc(homelen + working_path_len + 1); -- if(real_path == NULL) { -- free(working_path); -- return CURLE_OUT_OF_MEMORY; -- } -- /* It is referenced to the home directory, so strip the -- leading '/' */ -- memcpy(real_path, homedir, homelen); -- real_path[homelen] = '/'; -- real_path[homelen + 1] = '\0'; -- if(working_path_len > 3) { -- memcpy(real_path + homelen + 1, working_path + 3, -- 1 + working_path_len -3); -- } -+ else if((data->conn->handler->protocol & CURLPROTO_SFTP) && -+ (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) { -+ size_t len; -+ const char *p; -+ int copyfrom = 3; -+ if(Curl_dyn_add(&npath, homedir)) { -+ free(working_path); -+ return CURLE_OUT_OF_MEMORY; - } -- else { -- real_path = malloc(working_path_len + 1); -- if(real_path == NULL) { -- free(working_path); -- return CURLE_OUT_OF_MEMORY; -- } -- memcpy(real_path, working_path, 1 + working_path_len); -+ /* Copy a separating '/' if homedir does not end with one */ -+ len = Curl_dyn_len(&npath); -+ p = Curl_dyn_ptr(&npath); -+ if(len && (p[len-1] != '/')) -+ copyfrom = 2; -+ -+ if(Curl_dyn_addn(&npath, -+ &working_path[copyfrom], working_path_len - copyfrom)) { -+ free(working_path); -+ return CURLE_OUT_OF_MEMORY; - } - } - -- free(working_path); -+ if(Curl_dyn_len(&npath)) { -+ free(working_path); - -- /* store the pointer for the caller to receive */ -- *path = real_path; -+ /* store the pointer for the caller to receive */ -+ *path = Curl_dyn_ptr(&npath); -+ } -+ else -+ *path = working_path; - - return CURLE_OK; - } ++ if((working_path_len > 2) && !memcmp(working_path, "/~/", 3)) { + size_t homelen = strlen(homedir); + real_path = malloc(homelen + working_path_len + 1); + if(real_path == NULL) { -- -2.25.1 +2.24.4 diff --git a/poky/meta/recipes-support/curl/curl_7.69.1.bb b/poky/meta/recipes-support/curl/curl_7.69.1.bb index 32d18ddb3a..13ec117099 100644 --- a/poky/meta/recipes-support/curl/curl_7.69.1.bb +++ b/poky/meta/recipes-support/curl/curl_7.69.1.bb @@ -43,6 +43,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ file://CVE-2022-35260.patch \ file://CVE-2022-43552.patch \ file://CVE-2023-23916.patch \ + file://CVE-2023-27534-pre1.patch \ file://CVE-2023-27534.patch \ file://CVE-2023-27538.patch \ file://CVE-2023-27533.patch \ diff --git a/poky/meta/recipes-support/libbsd/libbsd_0.10.0.bb b/poky/meta/recipes-support/libbsd/libbsd_0.10.0.bb index 5b32b9af41..58925738cb 100644 --- a/poky/meta/recipes-support/libbsd/libbsd_0.10.0.bb +++ b/poky/meta/recipes-support/libbsd/libbsd_0.10.0.bb @@ -29,6 +29,12 @@ HOMEPAGE = "https://libbsd.freedesktop.org/wiki/" # License: public-domain-Colin-Plumb LICENSE = "BSD-3-Clause & BSD-4-Clause & ISC & PD" LICENSE_${PN} = "BSD-3-Clause & ISC & PD" +LICENSE:${PN}-dbg = "BSD-3-Clause & ISC & PD" +LICENSE:${PN}-dev = "BSD-3-Clause & ISC & PD" +LICENSE:${PN}-doc = "BSD-3-Clause & BSD-4-Clause & ISC & PD" +LICENSE:${PN}-locale = "BSD-3-Clause & ISC & PD" +LICENSE:${PN}-src = "BSD-3-Clause & ISC & PD" +LICENSE:${PN}-staticdev = "BSD-3-Clause & ISC & PD" LIC_FILES_CHKSUM = "file://COPYING;md5=2120be0173469a06ed185b688e0e1ae0" SECTION = "libs" |